Mobile internet security

Bob_the_Saver

A very simple question (I suspect the answer might not be)

Is using a mobile internet dongle a more or less secure way of accessing the internet for say internet banking than using a normal home (not Wi-fi) connection?

Hammyman

A dongle is less secure. It is like a modem - you are directly connected to the internet. When you use a ADSL Modem Router, the ADSL Modem Router uses NAT to allow more than one computer to use the single IP address your internet provider assigns you. NAT allows connections TO the internet but won't forward connections FROM the internet to an individual computer unless you manually assign a rule saying "connections from the internet on Port X are to be sent to Computer A". Without those it ignores it. (A port is like a path that a program or a service on your computer uses to talk to a network - for example www is port 80 usually, sending email is port25) To summarise, the risk of a mobile dongle over your home router is from someone on the internet trying to connect to your computer with them initiating the connection in order to exploit a vulnerability as all requests on all ports will be sent to the computer whereas with a router, only incoming ones you've set up will.

BUT DON'T PANIC. Windows has a software firewall which is enabled by default that does the same as NAT does on your router. As long as you don't have malware on your computer which has disabled the firewall, you'll be OK.

Now, online banking was your main concern. It makes no difference. Any insecurity is going to be due to malware on your computer rather than someone randomly trying to make a connection to your computer from the internet. There is malware that remotely allows them to view what you're doing and capture key presses but you'd be vulnerable to that on home wifi as well.

esuhl

Hammyman wrote: »

BUT DON'T PANIC. Windows has a software firewall which is enabled by default that does the same as NAT does on your router... NAT allows connections TO the internet but won't forward connections FROM the internet to an individual computer unless you manually assign a rule saying "connections from the internet on Port X are to be sent to Computer A". Without those it ignores it.

If the 3G dongle is just a modem providing a direct connection to the Internet, NAT isn't necessary (or possible, as far as I know). Domestic routers tend to have built-in firewalls with stateful packet inspection (SPI). It is this process that decides whether incoming packets were solicited or not. The port is just a convention used to indicate the type of traffic, and which application should handle it. For example, port 80 is usually used for HTTP. If you had several computers on your network, they could all use port 80 for HTTP traffic - it's the firewall/router's SPI that decides which computer on your LAN should receive each incoming packet.

If SPI doesn't work because you actually want to accept unsolicited packets (e.g. if my PC was an FTP server), then you can use port forwarding as a workaround. Port forwarding allows you to associate specific incoming ports to an IP address on your LAN.

If the OP has no interest in how all this works, then effectively none of this will make any difference to them. The Windows firewall uses SPI, so Hammyman's advice is fine, but technically it's SPI rather than NAT that I think he/she is referring to, and the port is not used in SPI.

Hammyman wrote: »

Now, online banking was your main concern. It makes no difference. Any insecurity is going to be due to malware on your computer rather than someone randomly trying to make a connection to your computer from the internet. There is malware that remotely allows them to view what you're doing and capture key presses but you'd be vulnerable to that on home wifi as well.

I'd agree with that, but it's also quite risky to use wireless access points outside of your control. A coffee shop might have a perfectly legitimate wireless network called "cafenet"... But I could go into the cafe, set up my laptop to appear as a wireless access point also called "cafenet" and customers would be unable to distinguish between my rogue network and the official one. If I was so inclined, I could intercept traffic, copy cookies, decrypt passwords, etc., and use that information later to log in to your bank account and... well, you get the idea!

Bob_the_Saver

Thanks very much to all for that but to confirm I am talking about connecting with a wireless internet dongle NOT WIFI.

TimothyEBaldwin

All reputable banks secure there online banking websites with end-to-end encryption, typically TLS. It is unlikely any criminal can break that, though possibly one threaten a trusted party, such as any certification agency trusted by your web browser; if spy agencies are your enemy be concerned. However TLS will not prevent anyone from discovering you are doing on-line banking, and with which bank. Also beware of following links on unsecured web pages, such as the main website of your bank, which could be modified by an attacker to point to their website; I suggest using a bookmark.

If you are on the are you are move are more secure from people specifically targeting you as they can't install their bugs in any one place; this is a not a problem for someone who wants to steal anyone's money. Both a home Internet connection and mobile phone networks are vulnerable to tapping into cables.

GSM (which will be used by mobile broadband dongles in the absence of a 3G signal, eg if jammed) is vulnerable to rouge base stations which cost a few hundred pounds, just like unsecured wireless. Alternatively one can passively eavesdrop and break the GSM encryption in a few hours for more money. On the other hand it is trivial for a member of your household to intercept your home internet connection.

As for breaching the security of your PC, a typical home router will not add any security over Windows firewall (where enabled) for Windows Vista and later as it does not block incoming IPv6 connections over Terdeo tunneling.

In summary, the typical bank customer does not need to concern themselves with network security, beyond confirming the correct we site address, typical attacks involve malware and phishing.